binding: Returns a reject promise when |this| is not of the type.

third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl

Index: third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl
diff --git a/third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl b/third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl
index a27c7725120fc9071f1412e353214e8dd55a3d17..5c39f7aee974734a7345edc7fa2ff63d02406410 100644
--- a/third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl
+++ b/third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl
@@ -13,15 +13,34 @@ static void {{method.name}}{{method.overload_index}}Method{{world_suffix}}(const
 
     {% set function_call = func_call_with_prep_of_args(method, world_suffix) %}
 
-    {% if 'exceptionState' in function_call %}
+    {% if 'exceptionState' in function_call or
+          (method.returns_promise and not method.is_static) %}
     {{define_exception_state}}
     {% if method.returns_promise %}
     ExceptionToRejectPromiseScope rejectPromiseScope(info, exceptionState);
     {% endif %}
     {% endif %}
 
+    {% set holder = 'info.Holder()' %}
+    {% if method.returns_promise and not method.is_static %}
+    // V8DOMConfiguration::DoNotCheckHolder
+    // Make sure that info.Holder() really points to an instance of the type.
+    {% if is_global or interface_name == 'WorkerGlobalScope' %}
+    // The empty v8::Signature makes info.Holder() the global proxy object
+    // instead of the global object, thus we need to retrieve the global object
+    // as the prototype object of the global proxy object.
+    v8::Local<v8::Object> holder =
+        info.Holder()->GetPrototype().As<v8::Object>();

[haraken, 2016/10/21 08:11:28]

Can we remove the additional complexity by using
V8XXX::findInstanceInPrototypeChain?

[Yuki, 2016/10/21 10:11:19]

I tried it, and I found it didn't work as expected.

If we used it,
    x = {}
    x.__proto__ = window
    window.fetch.call(x, 'foo')
works, although |x| is not an instance of Window interface.  IIUC, |fetch| must
return a reject promise of TypeError because |x| is not of type Window.

Instead of using finInstanceInPrototypeChain, I'd like to ask V8 team to pass
the global object (instead of the global *proxy* object) as info.Holder().

+    {% set holder = 'holder' %}
+    {% endif %}
+    if (!{{v8_class}}::hasInstance({{holder}}, info.GetIsolate())) {
+        {{throw_type_error(method, '"Illegal invocation"')}}
+        return;
+    }
+    {% endif %}
+
     {% if not method.is_static %}
-    {{cpp_class}}* impl = {{v8_class}}::toImpl(info.Holder());
+    {{cpp_class}}* impl = {{v8_class}}::toImpl({{holder}});
     {% endif %}
 
     {# Security checks #}
@@ -623,7 +642,9 @@ v8SetReturnValue(info, wrapper);
        'static_cast<v8::PropertyAttribute>(%s)' % ' | '.join(method.property_attributes)
        if method.property_attributes else 'v8::None' %}
 {% set only_exposed_to_private_script = 'V8DOMConfiguration::OnlyExposedToPrivateScript' if method.only_exposed_to_private_script else 'V8DOMConfiguration::ExposedToAllScripts' %}
-{"{{method.name}}", {{method_callback}}, {{method_callback_for_main_world}}, {{method.length}}, {{property_attribute}}, {{only_exposed_to_private_script}}, {{property_location(method)}}}
+{% set holder_check = 'V8DOMConfiguration::DoNotCheckHolder'
+       if method.returns_promise else 'V8DOMConfiguration::CheckHolder' %}
+{"{{method.name}}", {{method_callback}}, {{method_callback_for_main_world}}, {{method.length}}, {{property_attribute}}, {{only_exposed_to_private_script}}, {{property_location(method)}}, {{holder_check}}}
 {%- endmacro %}